COLUMN

Virtualization challenges traditional security concepts

By Eric Ogren 17 Feb 2009 | SearchSecurity.com Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

There's no doubt you've heard from those who question how traditional security controls will work in virtual environments. Despite the uncertainties inherent in any new technology, there are a number of ways virtual systems actually improve security and make it more difficult for an attacker to steal sensitive information.

Virtualization gives IT the opportunity to challenge traditional security concepts and secure the technical business infrastructure more cost effectively. These security benefits can be realized from the greater control IT has over configuration of application environments, easier processes for vulnerability management, and rapid delivery of pristine application images to all points of the organization.

Virtual environments will still come under attack, but those attacks will not easily persist in an application environment and will have more difficulty permeating the organization. In essence, the attack surfaces of business applications are substantially reduced to where the virtual machines -- operating systems, application executables and configuration profiles -- are managed.

Virtualization outlook 2009: Virtualization security moves to the fore in 2009: Virtualization platform vendors such as VMware and Citrix gear up to enhance security, as mainstream security companies slowly adapt.

The first step to challenging traditional security approaches is to realize that all computerized systems are always at risk of a malicious attack. There is no security technology in place that will make any technical infrastructure totally secure. Virtualized systems will be no more immune than non-virtualized systems to attacks that masquerade as authorized software to steal data, or modify configurations to disrupt the business. Advances by virtualization vendors into securing the hypervisor, performing attestation integrity checks of VMs, and detecting new classes of attacks is an important ongoing effort to make the infrastructure as safe as possible. The opportunity for IT is to leverage virtualization to change the way the business delivers applications; to change the way the business is secured.

Here are three examples of how selected IT organizations have taken advantage of virtualization to offer a more secure business environment:

• A major financial organization is concerned with protecting consumer data that may be accessed from remote laptops. The solution implemented was to virtualize the sensitive applications in the datacenter. Since the confidential data never leaves the secure datacenter in this virtual solution, the company is less worried about data loss. Rather than rigorously deploying endpoint security software, the organization used virtualization to avoid the problem of consumer data accumulating on laptops.

• A regional energy utility needs to ensure constant uptime of its control systems. The utility has taken advantage of its virtual architecture to regularly rotate its control systems between data centers, refreshing the critical VMs every day. One security benefit of this simple approach is that a successful attack against a VM will not persist longer than the VM refresh cycle -- the attack expires when the VM expires. The other benefit is that the utility has effectively made disaster recovery a part of its standard operating procedure. The utility has used virtualization to mitigate the effect of attacks against its control systems.

• A national service organization has used virtualization to better manage the vulnerabilities of remote applications. The organization has realized substantial savings in management effort by applying software upgrades, patches, configuration control and security scans to VMs centralized in the data center before they are delivered to remote sites. IT has enhanced control over application environments and can rapidly deliver new versions throughout the organization.

The challenge is for IT to look at how virtualized architectures can help avoid common security issues while enhancing application availability. While security and virtualization vendors continue to make products more resilient to attacks, IT can use virtualization to dramatically alter the attack surfaces to benefit the business.

Tags: Virtualization Security Issues and Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary